CN112968913A - DDOS defense method, device, equipment and medium based on programmable switch - Google Patents


Info

Publication number
CN112968913A
Authority
CN
China
Prior art keywords
server
protected
source
flow
programmable switch
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202110404920.XA
Other languages
Chinese (zh)
Other versions
CN112968913B (en)
Inventor
游小胜
金义
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Inspur Cisco Networking Technology Co Ltd
Original Assignee
Inspur Cisco Networking Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Inspur Cisco Networking Technology Co Ltd
Priority to CN202110404920.XA
Publication of CN112968913A
Application granted
Publication of CN112968913B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/101 Access control lists [ACL]
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1458 Denial of Service

Abstract

The embodiments of this specification disclose a DDOS defense method, apparatus, device and medium based on a programmable switch. The method comprises: determining the running state of a server to be protected according to the access traffic directed to that server; when the server to be protected is judged to be in a normal state, dynamically training the programmable switch and recording the first source IPs that have accessed the server; when the server to be protected is judged to be in a suspected abnormal state, judging, on the basis of the second source IPs written into a whitelist in advance and the recorded first source IPs, whether a third source IP accessing the server is unknown-source traffic; and, if the unknown-source traffic is identified as DDOS attack traffic according to its packet header information, uploading the traffic packets of the DDOS attack traffic to the control plane of the programmable switch and raising an alarm. DDOS traffic is thus identified by the programmable switch itself and reported promptly, the server to be protected continues to receive normal traffic, and user resources are saved.

Description

DDOS defense method, device, equipment and medium based on programmable switch
Technical Field
The present disclosure relates to the field of network communication technologies, and in particular, to a DDOS defense method, apparatus, device, and medium based on a programmable switch.
Background
Distributed Denial of Service (DDOS) refers to multiple attackers at different locations attacking one or more targets at the same time, or to a single attacker who controls many machines at different locations and uses them to attack a victim simultaneously.
A complete DDOS attack system consists of the attacker, a master (handler), agents (the compromised hosts) and the attack target. The master only issues commands and takes no part in the attack itself; the agents send the actual DDOS attack packets. The attacker holds full or partial control over the master and agent computers and can use various means to stay hidden during the attack. Once the attacker has passed the attack command to the master, the attacker can shut down or leave the network while the master distributes the command to each agent host, which lets the attacker evade tracing. Each agent host then sends a large number of service request packets to the target host; the packets are disguised so that their source cannot be identified, and the requested service usually consumes a great deal of system resources, so the target host can no longer serve legitimate users and may even crash.
Disclosure of Invention
One or more embodiments of the present specification provide a DDOS defense method, apparatus, device and medium based on a programmable switch, which address the following technical problem: when a server is under DDOS attack, a large volume of traffic is generated and a large number of invalid or slow requests occupy the bandwidth, so that normal traffic cannot get through.
One or more embodiments of the present disclosure adopt the following technical solutions:
one or more embodiments of the present specification provide a programmable-switch-based DDOS defense method, the method comprising: determining the running state of a server to be protected according to the access traffic directed to it; when the server to be protected is judged to be in a normal state, dynamically training the programmable switch and recording the first source IPs that have accessed the server; when the server to be protected is judged to be in a suspected abnormal state, judging, on the basis of the second source IPs in a pre-written whitelist and the recorded first source IPs, whether a third source IP accessing the server is unknown-source traffic; and, if the unknown-source traffic is identified as DDOS attack traffic according to its packet header information, uploading the traffic packets of the DDOS attack traffic to the control plane of the programmable switch and raising an alarm.
Further, before determining the running state of the server to be protected according to its access traffic, the method further comprises: configuring the server to be protected on the programmable switch and setting a whitelist from the known second source IPs, where traffic from a second source IP in the whitelist is allowed to reach the server to be protected through the programmable switch.
Further, before determining the running state of the server to be protected according to its access traffic, the method further comprises: configuring the server to be protected on the programmable switch and presetting a traffic threshold for the destination IP of the server to be protected, the threshold being chosen so that the server keeps operating normally. Determining that the server to be protected is in a suspected abnormal state specifically comprises: if the access traffic of the server to be protected exceeds the traffic threshold, judging its running state to be a suspected abnormal state.
Further, identifying the unknown-source traffic as DDOS attack traffic according to the packet header information specifically comprises: the packet header information includes the number of synchronization flags (SYN) and the number of acknowledgement flags (ACK), and if the number of SYN flags is greater than the number of ACK flags, a DDOS attack is determined.
Further, judging, on the basis of the second source IPs in the pre-written whitelist and the first source IPs, that a third source IP accessing the server to be protected is unknown-source traffic specifically comprises: if the source IP of traffic to the server to be protected is neither a second source IP in the whitelist nor a recorded first source IP that has accessed the server, judging the third source IP accessing the server to be unknown-source traffic.
Further, after the step of uploading the traffic packets of the DDOS attack traffic to the control plane of the programmable switch and raising an alarm, the method further comprises: if the third source IP is a second source IP in the whitelist, forwarding its traffic packets to the server to be protected; if the third source IP is a recorded first source IP that has accessed the server, forwarding its traffic packets to the server to be protected; and if the unknown-source traffic is identified, according to the packet header information, not to be DDOS attack traffic, forwarding the traffic packets of the third source IP to the server to be protected.
Further, before determining the running state of the server to be protected according to its access traffic, the method further comprises: setting fourth source IPs in a blacklist on the programmable switch, where the packets sent by a fourth source IP are known attack packets and the programmable switch intercepts them.
One or more embodiments of the present specification provide a programmable-switch-based DDOS defense apparatus, the apparatus comprising: a determining unit for determining the running state of a server to be protected according to its access traffic; a recording unit for dynamically training the programmable switch and recording the first source IPs that have accessed the server to be protected when the server is judged to be in a normal state; a judging unit for judging, when the server to be protected is in a suspected abnormal state, whether a third source IP accessing the server is unknown-source traffic on the basis of the second source IPs written into a whitelist in advance and the first source IPs; and an uploading unit for uploading the traffic packets of the DDOS attack traffic to the control plane of the programmable switch and raising an alarm if the unknown-source traffic is identified as DDOS attack traffic according to the packet header information.
One or more embodiments of the present specification provide a programmable-switch-based DDOS defense device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to:
determine the running state of a server to be protected according to its access traffic; when the server to be protected is judged to be in a normal state, dynamically train the programmable switch and record the first source IPs that have accessed the server; when the server to be protected is judged to be in a suspected abnormal state, judge, on the basis of the second source IPs in a pre-written whitelist and the first source IPs, whether a third source IP accessing the server is unknown-source traffic; and, if the unknown-source traffic is identified as DDOS attack traffic according to the packet header information, upload the traffic packets of the DDOS attack traffic to the control plane of the programmable switch and raise an alarm.
One or more embodiments of the present specification provide a storage medium storing computer-executable instructions configured to: determine the running state of a server to be protected according to its access traffic; when the server to be protected is judged to be in a normal state, dynamically train the programmable switch and record the first source IPs that have accessed the server; when the server to be protected is judged to be in a suspected abnormal state, judge, on the basis of the second source IPs in a pre-written whitelist and the first source IPs, whether a third source IP accessing the server is unknown-source traffic; and, if the unknown-source traffic is identified as DDOS attack traffic according to the packet header information, upload the traffic packets of the DDOS attack traffic to the control plane of the programmable switch and raise an alarm.
The embodiments of this specification adopt at least one technical solution that achieves the following beneficial effects:
the running state of the server to be protected is determined from its access traffic; whether a third source IP accessing the server is unknown-source traffic is judged from that running state, the first source IPs recorded during training, the second source IPs written into the whitelist in advance and the packet header information; DDOS attack traffic is then identified and its packets are uploaded to the control plane of the programmable switch with an alarm to the user. DDOS traffic identification is thus performed by the programmable switch and reported promptly, the server to be protected keeps receiving normal traffic, and user resources are saved.
Drawings
To illustrate the embodiments of this specification or the prior art more clearly, the drawings used in their description are briefly introduced below. The drawings described here cover only some of the embodiments of this specification; other drawings can be derived from them by those skilled in the art without creative effort. In the drawings:
fig. 1 is a flowchart of a DDOS defense method based on a programmable switch according to an embodiment of the present application;
fig. 2 is a schematic diagram of a compiling process of a programmable switch according to an embodiment of the present application;
fig. 3 is a schematic structural diagram of a DDOS defense apparatus based on a programmable switch according to an embodiment of the present application;
fig. 4 is a schematic structural diagram of a DDOS defense device based on a programmable switch according to an embodiment of the present application.
Detailed Description
The embodiment of the specification provides a DDOS defense method, a device, equipment and a medium based on a programmable switch. In order to make those skilled in the art better understand the technical solutions in the present specification, the technical solutions in the embodiments of the present specification will be clearly and completely described below with reference to the drawings in the embodiments of the present specification, and it is obvious that the described embodiments are only a part of the embodiments of the present specification, and not all of the embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present specification without any creative effort shall fall within the protection scope of the present specification.
It should be noted that DDOS attacks can be classified into ICMP Flood, UDP Flood, Slowloris, hash collision attacks, SYN Flood, DNS Query Flood and so on; SYN Flood is currently the mainstream attack method.
The embodiments of this application protect primarily against SYN Flood DDOS attacks. As is well known to those skilled in the art, a SYN Flood exploits a weakness of the TCP three-way handshake: the client sends a TCP segment carrying the synchronization flag (SYN); on receiving it, the server replies with a SYN + acknowledgement (ACK) segment, indicating that the client's request has been received, and keeps state for the half-open connection; the client then returns an ACK to the server and the connection is established. In a SYN Flood the attacker sends SYN segments to the server from a large number of apparently different source IPs, but the source addresses are spoofed and do not belong to any reachable host, so the server never receives the final ACK. The server therefore keeps a huge queue of half-open connections, keeps retransmitting SYN + ACK, and ties up a large amount of resources that cannot be released; once that queue is full the server can no longer accept new SYN requests, and normal traffic cannot establish a connection.
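To make the mechanism concrete, the following Python model is an added example and not part of the patent: it simulates a listening socket with a bounded half-open queue and a SYN timeout, drives it with a flood of SYNs from distinct spoofed sources that never answer, and checks whether honest clients can still complete the handshake before, during and after the flood. The backlog size, timeout and all addresses are constructed for the illustration.

```python
"""Constructed model of a TCP listen backlog under a SYN flood (added example)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Listener:
    """Server socket with a bounded half-open (SYN_RCVD) queue."""
    backlog: int                      # constructed: max half-open connections
    syn_timeout: float = 30.0         # constructed: seconds before a half-open entry is dropped
    half_open: dict = field(default_factory=dict)   # src -> time the SYN arrived
    established: set = field(default_factory=set)
    syn_ack_sent: int = 0
    dropped_syn: int = 0

    def expire(self, now):
        """Release half-open entries whose SYN+ACK retransmissions have timed out."""
        for src in [s for s, t in self.half_open.items() if now - t > self.syn_timeout]:
            del self.half_open[src]

    def on_syn(self, src, now):
        self.expire(now)
        if src in self.half_open:          # retransmitted SYN: resend SYN+ACK, no new slot
            self.syn_ack_sent += 1
            return "SYN+ACK"
        if len(self.half_open) >= self.backlog:
            self.dropped_syn += 1          # queue full: the SYN is silently dropped
            return None
        self.half_open[src] = now
        self.syn_ack_sent += 1
        return "SYN+ACK"

    def on_ack(self, src):
        if self.half_open.pop(src, None) is None:
            return False                   # ACK for a connection we are not waiting on
        self.established.add(src)
        return True


def legit_connect(srv, src, now):
    """Honest client: SYN -> SYN+ACK -> ACK; fails if its SYN is dropped."""
    return srv.on_syn(src, now) is not None and srv.on_ack(src)


def syn_flood(srv, n, now, first="198.18.0.1"):
    """n SYNs from n distinct spoofed sources (constructed range); none ever ACKs."""
    base = int(ipaddress.IPv4Address(first))
    for i in range(n):
        srv.on_syn(str(ipaddress.IPv4Address(base + i)), now)


def run_scenario(backlog=128, flood_syns=200):
    srv = Listener(backlog=backlog)
    before = legit_connect(srv, "192.0.2.10", 0.0)
    syn_flood(srv, flood_syns, 1.0)
    pinned = len(srv.half_open)            # backlog slots held by spoofed sources
    during = legit_connect(srv, "192.0.2.11", 2.0)
    after = legit_connect(srv, "192.0.2.12", 40.0)  # past the SYN timeout
    return {"before": before, "during": during, "after": after,
            "pinned": pinned, "dropped": srv.dropped_syn,
            "syn_ack_sent": srv.syn_ack_sent}


if __name__ == "__main__":
    print(run_scenario())
```

With a backlog of 128 and a flood of 200 SYNs, the first 128 spoofed sources pin every slot, the remaining 72 flood SYNs and the honest client's SYN are dropped, and only once the timeout has released the half-open entries can a new client connect again. The server spent one SYN+ACK per pinned slot while the attacker spent one SYN per slot, which is the asymmetry the switch-side filter described below is meant to remove.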
Fig. 1 is a flowchart of a DDOS defense method based on a programmable switch according to an embodiment of the present application, and the following describes the embodiment of the present application with reference to the accompanying drawings, where the DDOS defense method based on a programmable switch includes the following steps:
step S102, determining the running state of the server to be protected according to the access flow of the server to be protected.
Further, before step S102 the method further comprises: configuring the server to be protected on the programmable switch and setting a whitelist from the known second source IPs, where traffic from a second source IP in the whitelist is allowed through the programmable switch to the server to be protected; configuring the server to be protected on the programmable switch and presetting a traffic threshold for its destination IP, the threshold being chosen so that the server keeps operating normally; and setting fourth source IPs in a blacklist on the programmable switch, where the packets sent by a fourth source IP are known attack packets and the programmable switch intercepts them.
In an embodiment of the present application all servers protected by the programmable switch are configured in advance, as follows. First, a destination-IP traffic threshold is configured on the programmable switch for each server to be protected; the threshold is chosen so that the server keeps operating normally. For example, if the server at destination IP 192.168.100.8 supports at most 100M of traffic and carries 60M in normal operation, its traffic threshold is set to 60M; if the server at destination IP 192.168.100.9 supports at most 10G and carries 8G in normal operation, its traffic threshold is set to 8G.
Second, a whitelist is set on the programmable switch from the known second source IPs; traffic from a second source IP in the whitelist may reach the server to be protected through the programmable switch. Fourth source IPs are set in a blacklist on the programmable switch; the packets sent by a fourth source IP are known attack packets and the programmable switch intercepts them. A fourth source IP may be an attack source identified earlier or an otherwise known attack source. It should be noted that a fourth source IP in the blacklist is a source that must never be visible to the server: its packets are treated as suspected attack packets and are intercepted by the programmable switch.
Step S104: when the server to be protected is judged to be in a normal state, dynamically train the programmable switch and record the first source IPs that have accessed the server to be protected.
In one embodiment of the present application the programmable switch is trained dynamically on normal access traffic while the server to be protected is operating normally. For training, a period in which the server is running well is selected and the access records of the first source IPs are recorded; when training stops, recording of source IP accesses stops as well. It should be noted that several periods in which the server is running well may be selected and training repeated, so that through learning over several periods as many first source IPs as possible are found. During the normal operation of the programmable switch, a source IP that appears in the recorded access records of the first source IPs is then treated as normal traffic, because that otherwise unknown source IP has previously interacted normally with the server to be protected.
Step S106: when the server to be protected is judged to be in a suspected abnormal state, judge, on the basis of the second source IPs written into the whitelist in advance and the first source IPs, whether a third source IP accessing the server to be protected is unknown-source traffic.
Further, step S106 specifically comprises: if the access traffic of the server to be protected exceeds the traffic threshold, judging the running state of the server to be protected to be a suspected abnormal state; and, if the source IP of traffic to the server is neither a second source IP in the whitelist nor a recorded first source IP that has accessed the server, judging that third source IP to be unknown-source traffic.
In an embodiment of the present application, if the access traffic of the server to be protected exceeds the preset traffic threshold, its running state is judged to be a suspected abnormal state, that is, the server may be under attack from an attacking IP. The source IPs accessing the server are then examined: if a third source IP accessing the server is neither a second source IP in the whitelist nor a first source IP recorded during training, it is judged to be unknown-source traffic.
In an embodiment of the present application, specific packet header information received by the server to be protected is counted, namely the number of synchronization flags (SYN) and the number of acknowledgement flags (ACK), together with the source IP of those packets; the counts and the source IP are stored in registers of the programmable switch. It should be noted that although the programmable switch has registers, their size is limited, typically tens of megabytes in total, so after packets have passed through, the information of every packet cannot be kept in the registers; only the SYN and ACK counts and the source IP are stored.
Step S108: if the unknown-source traffic is identified as DDOS attack traffic according to the packet header information, upload the traffic packets of the DDOS attack traffic to the control plane of the programmable switch and raise an alarm.
Further, step S108 specifically comprises: the packet header information includes the number of SYN flags and the number of ACK flags, and if the number of SYN flags is greater than the number of ACK flags, a DDOS attack is determined.
In an embodiment of the present application, after step S106 has judged the third source IP accessing the server to be unknown-source traffic, whether that traffic is a DDOS attack is identified from the specific packet header information: if the number of SYN flags is greater than the number of ACK flags, a DDOS attack is determined. The DDOS attack in question may be of the SYN FLOOD type. For SYN FLOOD attacks the programmable switch can keep TCP FLAG statistics per protected server, for example the number of TCP SYN and TCP ACK segments for a given server, and compare the SYN and ACK counts sent by a given source IP when connecting to the destination IP; once the SYN count exceeds the ACK count, that source IP is confirmed as a SYN FLOOD type DDOS attack.
In an embodiment of the present application, after a third source IP accessing the server to be protected has been recognized as a DDOS attack IP, the programmable switch forwards the packets sent by that source IP to the control plane via its CPU, and may forward them to a monitoring server specified by the user so that attack alarm information is delivered to the user. It should be noted that the programmable switch comprises a CPU and a number of physical ports; packets forwarded by the programmable switch reach the corresponding server through the physical ports, whereas when the programmable switch recognizes a DDOS attack on the data plane it uploads the DDOS packets to its internal CPU for internal processing and user notification, not to a physical port, so the DDOS packets never reach the server.
After step S108 the method further comprises: if the third source IP is a second source IP in the whitelist, forwarding its traffic packets to the server to be protected; if the third source IP is a recorded first source IP that has accessed the server, forwarding its traffic packets to the server to be protected; and if the unknown-source traffic is found, according to the packet header information, not to be DDOS attack traffic, forwarding the traffic packets of the third source IP to the server to be protected.
In an embodiment of the application, if the third source IP is a recorded first source IP that has accessed the server to be protected, it is a source that accessed the server while the server was operating normally and has interacted with it, so its traffic packets are forwarded to the server and the forwarding of normal source-IP traffic is completed by the programmable switch. If the third source IP is a second source IP in the whitelist, that is, a whitelisted source preset as allowed to access the server to be protected, its traffic packets are likewise forwarded to the server through the programmable switch.
In an embodiment of the application, after step S106 has judged the third source IP accessing the server to be unknown-source traffic, if that traffic is identified according to the packet header information not to be DDOS attack traffic, the traffic packets of the third source IP are forwarded to the server to be protected.
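The following Python program is an added example, not the patent's own P4 code, that models steps S102 to S108 as one data-plane pipeline: a per-destination traffic meter checked against the configured threshold, a training flag under which source IPs seen while the server is normal become recorded first source IPs, the configured whitelist (second source IPs) and blacklist (fourth source IPs), per-source SYN and ACK counters kept in fixed-size hash-indexed register arrays as the register constraint above requires, and the SYN-greater-than-ACK test that punts unknown-source traffic to the CPU and raises an alarm once the destination is in the suspected abnormal state. The register size, threshold, addresses and packet sizes are constructed for the demonstration.

```python
"""Constructed data-plane model of the whitelist / learned-source / SYN-vs-ACK
DDOS filter of steps S102 to S108 (added example, not the patent's P4 program)."""
import ipaddress
import zlib
from dataclasses import dataclass, field

REG_SLOTS = 1024   # constructed: switch register arrays are fixed-size, so counters are hash-indexed


@dataclass
class Packet:
    src: str
    dst: str
    syn: bool
    ack: bool
    size: int = 64     # bytes, constructed


@dataclass
class ProtectedServer:
    ip: str
    threshold_bytes: int                          # configured per-destination traffic threshold
    whitelist: set = field(default_factory=set)   # second source IPs, configured by the operator
    learned: set = field(default_factory=set)     # first source IPs, recorded while training


class Switch:
    def __init__(self, servers, blacklist=()):
        self.servers = {s.ip: s for s in servers}
        self.blacklist = set(blacklist)           # fourth source IPs: known attackers, always dropped
        self.training = False                     # operator turns this on only while the server is healthy
        self.bytes_in = {ip: 0 for ip in self.servers}   # per-destination meter (acl_meter)
        self.reg_src = [None] * REG_SLOTS         # source IP currently owning each register slot
        self.syn_count = [0] * REG_SLOTS          # SYN_count register array
        self.ack_count = [0] * REG_SLOTS          # ACK_count register array
        self.punted, self.alarms = [], []

    @staticmethod
    def slot(src):
        return zlib.crc32(src.encode()) % REG_SLOTS

    def state(self, dst):
        return "suspect" if self.bytes_in[dst] > self.servers[dst].threshold_bytes else "normal"

    def process(self, pkt):
        """Return the data-plane verdict for one packet."""
        srv = self.servers.get(pkt.dst)
        if srv is None:
            return "forward"                      # not a protected server: plain L2/L3 forwarding
        if pkt.src in self.blacklist:
            return "drop"
        self.bytes_in[pkt.dst] += pkt.size
        i = self.slot(pkt.src)
        if self.reg_src[i] != pkt.src:            # slot taken over (hash collision): restart counters
            self.reg_src[i] = pkt.src
            self.syn_count[i] = self.ack_count[i] = 0
        if pkt.syn and not pkt.ack:
            self.syn_count[i] += 1
        elif pkt.ack:
            self.ack_count[i] += 1
        if self.training and self.state(pkt.dst) == "normal":
            srv.learned.add(pkt.src)              # S104: record first source IPs in a healthy window
        if pkt.src in srv.whitelist or pkt.src in srv.learned:
            return "forward"                      # known source: forwarded regardless of state
        if self.state(pkt.dst) == "normal":
            return "forward"                      # S102: below threshold, nothing to filter
        # S106/S108: suspected abnormal state and unknown source, apply the SYN-vs-ACK test
        if self.syn_count[i] > self.ack_count[i]:
            self.punted.append(pkt)
            self.alarms.append(f"SYN flood suspected: {pkt.src} -> {pkt.dst}")
            return "punt_cpu"                     # to the control plane, never to the server port
        return "forward"


def demo():
    srv = ProtectedServer("192.168.100.8", threshold_bytes=60_000, whitelist={"10.0.0.5"})
    sw = Switch([srv], blacklist={"198.51.100.7"})
    sw.training = True                            # healthy window: one regular client handshakes
    for _ in range(3):
        sw.process(Packet("192.0.2.10", srv.ip, syn=True, ack=False))
        sw.process(Packet("192.0.2.10", srv.ip, syn=False, ack=True))
    sw.training = False
    verdicts = {}                                 # SYN-only flood from 1200 distinct spoofed sources
    base = int(ipaddress.IPv4Address("198.18.0.1"))
    for k in range(1200):
        v = sw.process(Packet(str(ipaddress.IPv4Address(base + k)), srv.ip, syn=True, ack=False))
        verdicts[v] = verdicts.get(v, 0) + 1
    return {
        "state": sw.state(srv.ip),
        "flood": verdicts,
        "learned": sw.process(Packet("192.0.2.10", srv.ip, syn=True, ack=False)),
        "whitelist": sw.process(Packet("10.0.0.5", srv.ip, syn=True, ack=False)),
        "blacklist": sw.process(Packet("198.51.100.7", srv.ip, syn=True, ack=False)),
        "alarms": len(sw.alarms),
    }


if __name__ == "__main__":
    print(demo())
```

In the demo the flood is forwarded until the meter crosses the 60,000-byte threshold (931 packets after the 384 bytes of training traffic) and every later SYN from an unknown source is punted, while the learned client and the whitelisted client keep being forwarded and the blacklisted source is dropped before it is even counted. Two properties of the rule are worth checking before deployment: a first SYN from a legitimate but unknown client always has SYN count 1 and ACK count 0, so during the suspected abnormal state such clients are punted rather than forwarded until they appear in the whitelist or the recorded set; and the recorded set is only as clean as the training windows, so training must be switched on only while the server is known to be healthy, otherwise a low-rate attacker is learned as a first source IP.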
In one embodiment of the present application, the programmable switch needs to be compiled, and fig. 2 is a schematic diagram of the compiling process of the programmable switch. First, parameter configuration is carried out, and a message enters the parsing process from the message-receiving stage of a physical port of the switch; specifically, the message enters the ingress parser (iparser) from the ingress stage of a port of the switch. After the packet header parsing of the ingress stage, the message enters the logic processing procedure, the match-action unit (MAU), which includes a traffic statistic (acl_meter). Since a message enters via a physical port of the programmable switch, messages for one server can enter from several physical ports, and the purpose of the traffic statistic is to count the access data of the service in order to determine the traffic accessing the server. The logic processing procedure also comprises source IP training, message information statistics, two-layer switching and three-layer routing. The source IP training may be sip_spare, which refers to dynamically training on source IPs during the training phase to determine the first source IPs that have accessed the server; the message information statistics may be SYN_count and ACK_count, whose purpose is to count the number of SYN flags and the number of ACK flags in the message information. In addition, the two-layer switching may be L2-control, including MAC learning, VLAN forwarding and so on, and the three-layer routing may be L3-control, such as nexthop, NAT and so on. It should be noted that L2-control and L3-control forward normal two-layer or three-layer traffic; that is, through the logic processing procedure the programmable switch can recognize DDOS traffic on the data plane while also forwarding normal L2 and L3 traffic, thereby saving user cost.
After the logic processing procedure, the message enters the packet header assembly process of the ingress stage and the subsequent processing in the traffic manager, that is, the message enters the ingress deparser (idparser) and the TM (traffic manager). It should be noted that after the message passes through the MAU into the idparser, a single packet comes out at this point; in some scenarios the message must be replicated in the TM and several copies sent out, and when several copies are needed this is done in the TM. Finally, the message enters the egress stage, where it passes through the egress parser (eparser, packet header parsing in the egress stage) and the egress deparser (edeparser, packet header assembly in the egress stage), and then leaves the switch.
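To make the per-packet decision concrete, the following is an added Python model of the data-plane logic described above and in claims 1 to 7 below; it is not the patent's own P4 or switch code. It combines the black list (claim 7), the access-traffic threshold (claim 3), source-IP training in the normal state, the white list, and the SYN-count versus ACK-count rule (claim 4). The class and trace names, the use of a packet count as the traffic meter, and keeping the SYN/ACK counters per source IP are assumptions of this example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Set, Tuple


class Verdict(Enum):
    DROP = "drop"              # fourth source IP in the black list (claim 7)
    FORWARD = "forward"        # white-listed, trained, or strange but not DDOS
    PUNT_ALARM = "punt_alarm"  # strange IP judged DDOS: upload to control plane, alarm


@dataclass
class Switch:
    """Hypothetical software stand-in for the switch pipeline (constructed for this example)."""
    protected_ip: str
    threshold: int                                     # packets per window still judged normal (assumption)
    whitelist: Set[str] = field(default_factory=set)   # second source IPs, written in advance
    blacklist: Set[str] = field(default_factory=set)   # fourth source IPs, known attack sources
    trained: Set[str] = field(default_factory=set)     # first source IPs learned in the normal state
    meter: int = 0                                     # acl_meter: access traffic counted this window
    syn_count: Dict[str, int] = field(default_factory=dict)
    ack_count: Dict[str, int] = field(default_factory=dict)
    alarms: List[str] = field(default_factory=list)

    def suspected_abnormal(self) -> bool:
        """Operating state: access traffic above the preset threshold (claim 3)."""
        return self.meter > self.threshold

    def process(self, src: str, dst: str, syn: bool, ack: bool) -> Verdict:
        """One packet through the MAU; returns what the switch does with it."""
        if dst != self.protected_ip:
            return Verdict.FORWARD       # ordinary L2/L3 forwarding, no DDOS logic
        if src in self.blacklist:
            return Verdict.DROP          # intercepted before it is metered
        self.meter += 1                  # acl_meter: traffic statistic for the server
        if not self.suspected_abnormal():
            self.trained.add(src)        # sip training: record every IP that reached the server
            return Verdict.FORWARD
        if src in self.whitelist or src in self.trained:
            return Verdict.FORWARD       # known source, even in the suspected-abnormal state
        # strange IP traffic: SYN_count / ACK_count statistics (assumption: kept per source IP)
        if syn:
            self.syn_count[src] = self.syn_count.get(src, 0) + 1
        if ack:
            self.ack_count[src] = self.ack_count.get(src, 0) + 1
        if self.syn_count.get(src, 0) > self.ack_count.get(src, 0):
            self.alarms.append(f"DDOS suspected from {src} toward {dst}")
            return Verdict.PUNT_ALARM    # packet goes to the control plane, not the server
        return Verdict.FORWARD           # strange, but the handshake completes: not DDOS


def demo() -> Tuple[Switch, List[Verdict]]:
    """Run a constructed trace: a normal phase, then a burst that trips the threshold."""
    sw = Switch(protected_ip="10.0.0.10", threshold=3,
                whitelist={"192.0.2.1"}, blacklist={"203.0.113.9"})
    trace = [  # (src, dst, syn, ack); all addresses constructed for this example
        ("198.51.100.5", "10.0.0.10", True, False),    # normal state: .5 is trained
        ("198.51.100.5", "10.0.0.10", False, True),
        ("203.0.113.9", "10.0.0.10", True, False),     # black-listed: dropped, not metered
        ("198.51.100.7", "10.0.0.10", True, False),    # meter reaches 3: still normal, .7 trained
        ("198.51.100.5", "10.0.0.10", False, True),    # meter 4 > 3: suspected abnormal from here
        ("192.0.2.1", "10.0.0.10", True, False),       # white-listed second source IP
        ("198.51.100.200", "10.0.0.10", True, False),  # strange IP, SYN only: judged DDOS
        ("198.51.100.200", "10.0.0.10", False, True),  # its ACK arrives: SYN == ACK, forwarded
        ("198.51.100.201", "10.0.0.10", True, False),  # another strange SYN: judged DDOS
        ("10.0.0.99", "10.0.0.11", True, False),       # not the protected server
    ]
    return sw, [sw.process(*pkt) for pkt in trace]


if __name__ == "__main__":
    for no, verdict in enumerate(demo()[1], 1):
        print(no, verdict.value)
```

Note that under the claim 4 rule a legitimate new client's first SYN during a suspected-abnormal window is punted, and only its follow-up ACK is forwarded; the control plane, not the data plane, is where such punted packets are examined.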
Fig. 3 is a schematic structural diagram of a DDOS defense apparatus based on a programmable switch provided in an embodiment of the present application, in which a determining unit 301 is configured to determine the operating state of a server to be protected according to the access traffic of the server to be protected; a recording unit 302 is configured to dynamically train the programmable switch when the server to be protected is judged to be in a normal state, and to record a first source IP that has accessed the server to be protected; a judging unit 303 is configured, when the server to be protected is judged to be in a suspected abnormal state, to judge according to a second source IP in a pre-written white list and the first source IP whether a third source IP accessing the server to be protected is strange IP traffic; and an uploading unit 304 is configured, if the strange IP traffic is identified as DDOS attack traffic according to the message information, to upload the traffic packet of the DDOS attack traffic to the control plane of the programmable switch and send an alarm.
Fig. 4 is a schematic structural diagram of a DDOS defense device based on a programmable switch provided in an embodiment of the present application, comprising at least one processor and a memory communicatively coupled to the at least one processor, wherein the memory stores instructions executable by the at least one processor to enable the at least one processor to: determine the operating state of a server to be protected according to the access traffic of the server to be protected; when the server to be protected is judged to be in a normal state, dynamically train the programmable switch and record a first source IP that has accessed the server to be protected; when the server to be protected is judged to be in a suspected abnormal state, judge according to a second source IP in a pre-written white list and the first source IP whether a third source IP accessing the server to be protected is strange IP traffic; and if the strange IP traffic is identified as DDOS attack traffic according to the message information, upload the traffic packet of the DDOS attack traffic to the control plane of the programmable switch and send an alarm.
An embodiment of the present application further provides a storage medium storing computer-executable instructions, where the computer-executable instructions are configured to: determine the operating state of a server to be protected according to the access traffic of the server to be protected; when the server to be protected is judged to be in a normal state, dynamically train the programmable switch and record a first source IP that has accessed the server to be protected; when the server to be protected is judged to be in a suspected abnormal state, judge according to a second source IP in a pre-written white list and the first source IP whether a third source IP accessing the server to be protected is strange IP traffic; and if the strange IP traffic is identified as DDOS attack traffic according to the message information, upload the traffic packet of the DDOS attack traffic to the control plane of the programmable switch and send an alarm.
In one or more embodiments provided by the application, the operating state of a server to be protected is determined according to its access traffic; whether a third source IP accessing the server is strange IP traffic is judged according to that operating state, the first source IPs recorded during training, the second source IPs written in the white list in advance, and the message information; DDOS attack traffic is then identified, the DDOS traffic packet is uploaded to the control plane of the programmable switch, and an alarm is sent to the user. In this way DDOS traffic identification is performed by the programmable switch itself, the DDOS traffic is reported in time, and normal traffic still reaches the server to be protected.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the embodiments of the apparatus, the device, and the nonvolatile computer storage medium, since they are substantially similar to the embodiments of the method, the description is simple, and for the relevant points, reference may be made to the partial description of the embodiments of the method.
The foregoing description has been directed to specific embodiments of this disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
The above description is merely one or more embodiments of the present disclosure and is not intended to limit the present disclosure. Various modifications and alterations to one or more embodiments of the present description will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement or the like made within the spirit and principle of one or more embodiments of the present specification should be included in the scope of the claims of the present specification.

Claims (10)

1. A method of DDOS defense based on a programmable switch, the method comprising:
determining the operating state of a server to be protected according to the access traffic of the server to be protected;
when the server to be protected is judged to be in a normal state, dynamically training the programmable switch, and recording a first source IP which has accessed the server to be protected;
when the server to be protected is judged to be in a suspected abnormal state, judging, according to a second source IP in a pre-written white list and the first source IP, whether a third source IP accessing the server to be protected is strange IP traffic;
and if the strange IP traffic is identified as DDOS attack traffic according to the message information, uploading the traffic packet of the DDOS attack traffic to a control plane of the programmable switch, and sending an alarm.
2. The programmable switch based DDOS defense method according to claim 1, characterized in that before said determining the operating state of the server to be protected according to the access traffic of the server to be protected, the method further comprises:
configuring a server to be protected on the programmable switch, and setting a white list according to known second source IPs, wherein traffic of a second source IP in the white list can reach the server to be protected through the programmable switch.
3. The programmable switch based DDOS defense method according to claim 1, characterized in that before said determining the operating state of the server to be protected according to the access traffic of the server to be protected, the method further comprises: configuring a server to be protected on the programmable switch, and presetting a traffic threshold for the destination IP of the server to be protected, wherein the traffic threshold is used to ensure normal operation of the server to be protected;
and the judging that the server to be protected is in a suspected abnormal state specifically comprises:
if the access traffic of the server to be protected exceeds the traffic threshold, judging that the operating state of the server to be protected is a suspected abnormal state.
4. The DDOS defense method based on the programmable switch according to claim 1, wherein the identifying that the strange IP traffic is DDOS attack traffic according to the message information specifically comprises:
the message information comprising the number of synchronization (SYN) flags and the number of acknowledgement (ACK) flags, and if the number of SYN flags in the message information is greater than the number of ACK flags, determining a DDOS attack.
5. The DDOS defense method based on the programmable switch according to claim 1, wherein the judging, according to the second source IP in the pre-written white list and the first source IP, that the third source IP accessing the server to be protected is strange IP traffic specifically comprises:
if the third source IP accessing the server to be protected is neither a second source IP in the white list nor a first source IP recorded as having accessed the server to be protected, judging that the third source IP accessing the server to be protected is strange IP traffic.
6. The DDOS defense method based on the programmable switch according to claim 1, wherein after the step of, if the strange IP traffic is identified as DDOS attack traffic according to the message information, uploading the traffic packet of the DDOS attack traffic to the control plane of the programmable switch and sending an alarm, the method further comprises:
if the third source IP of the server to be protected is a second source IP in the white list, forwarding the traffic packet of the third source IP to the server to be protected;
if the third source IP of the server to be protected is a first source IP recorded as having accessed the server to be protected, forwarding the traffic packet of the third source IP to the server to be protected;
and if the strange IP traffic is identified as not being DDOS attack traffic according to the message information, forwarding the traffic packet of the third source IP to the server to be protected.
7. The programmable switch based DDOS defense method according to claim 1, characterized in that before said determining the operating state of the server to be protected according to the access traffic of the server to be protected, the method further comprises:
setting a fourth source IP in a black list on the programmable switch, wherein the data message sent by the fourth source IP is a known attack message, and the programmable switch intercepts the data message of the fourth source IP.
8. A programmable switch based DDOS defense apparatus, the apparatus comprising:
a determining unit, configured to determine the operating state of a server to be protected according to the access traffic of the server to be protected;
a recording unit, configured to dynamically train the programmable switch and record a first source IP which has accessed the server to be protected when the server to be protected is judged to be in a normal state;
a judging unit, configured, when the server to be protected is judged to be in a suspected abnormal state, to judge according to a second source IP in a pre-written white list and the first source IP whether a third source IP accessing the server to be protected is strange IP traffic;
and an uploading unit, configured to upload the traffic packet of the DDOS attack traffic to a control plane of the programmable switch and send an alarm if the strange IP traffic is identified as DDOS attack traffic according to the message information.
9. A programmable switch-based DDOS defense device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to:
determine the operating state of a server to be protected according to the access traffic of the server to be protected;
when the server to be protected is judged to be in a normal state, dynamically train the programmable switch, and record a first source IP which has accessed the server to be protected;
when the server to be protected is judged to be in a suspected abnormal state, judge, according to a second source IP in a pre-written white list and the first source IP, whether a third source IP accessing the server to be protected is strange IP traffic;
and if the strange IP traffic is identified as DDOS attack traffic according to the message information, upload the traffic packet of the DDOS attack traffic to a control plane of the programmable switch, and send an alarm.
10. A storage medium storing computer-executable instructions, the computer-executable instructions being configured to:
determine the operating state of a server to be protected according to the access traffic of the server to be protected;
when the server to be protected is judged to be in a normal state, dynamically train the programmable switch, and record a first source IP which has accessed the server to be protected;
when the server to be protected is judged to be in a suspected abnormal state, judge, according to a second source IP in a pre-written white list and the first source IP, whether a third source IP accessing the server to be protected is strange IP traffic;
and if the strange IP traffic is identified as DDOS attack traffic according to the message information, upload the traffic packet of the DDOS attack traffic to a control plane of the programmable switch, and send an alarm.
CN202110404920.XA 2021-04-15 2021-04-15 DDOS defense method, device, equipment and medium based on programmable switch Active CN112968913B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110404920.XA CN112968913B (en) 2021-04-15 2021-04-15 DDOS defense method, device, equipment and medium based on programmable switch

Publications (2)

Publication Number Publication Date
CN112968913A true CN112968913A (en) 2021-06-15
CN112968913B CN112968913B (en) 2022-04-15

Family

ID=76280527

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110404920.XA Active CN112968913B (en) 2021-04-15 2021-04-15 DDOS defense method, device, equipment and medium based on programmable switch

Country Status (1)

Country Link
CN (1) CN112968913B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114826741A (en) * 2022-04-27 2022-07-29 新华三信息安全技术有限公司 Attack monitoring system and attack monitoring method

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107018084A (en) * 2017-04-12 2017-08-04 南京工程学院 DDOS attack defending against network security system and method based on SDN frameworks
WO2018059480A1 (en) * 2016-09-29 2018-04-05 腾讯科技(深圳)有限公司 Method, device, and system for defending against network attack
CN107968785A (en) * 2017-12-03 2018-04-27 浙江工商大学 A kind of method of defending DDoS (Distributed Denial of Service) attacks in SDN data centers
CN110336830A (en) * 2019-07-17 2019-10-15 山东大学 A kind of ddos attack detection system based on software defined network

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114826741A (en) * 2022-04-27 2022-07-29 新华三信息安全技术有限公司 Attack monitoring system and attack monitoring method
CN114826741B (en) * 2022-04-27 2024-02-09 新华三信息安全技术有限公司 Attack monitoring system and attack monitoring method

Also Published As

Publication number Publication date
CN112968913B (en) 2022-04-15

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant